Friday, 08 June 2018


The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.

The PCI standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data in order to reduce credit card fraud. Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) or by a company-specific Internal Security Assessor (ISA) who creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by a Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.





History

Five different programs were started by the card companies: Visa's Cardholder Information Security Program, MasterCard's Site Data Protection, American Express's Data Security Operating Policy, Discover's Information Security and Compliance, and the JCB Data Security Program. The intent of each was roughly the same: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data.

The Payment Card Industry Security Standards Council (PCI SSC) was then formed, and these companies aligned their individual policies to create the PCI DSS.

There are a number of versions:

  • 1.0 was released on December 15, 2004.
  • 1.1, in September 2006, provided clarifications and minor revisions.
  • 1.2 was released on October 1, 2008. It enhanced clarity, improved flexibility, and addressed evolving risks and threats.
  • 1.2.1, in August 2009, made minor corrections designed to create more clarity and consistency among the standard and supporting documents.
  • 2.0 was released in October 2010.
  • 3.0 was released in November 2013 and was effective from 1 January 2014 to 30 June 2015.
  • 3.1 was released in April 2015 and has been retired since October 31, 2016.
  • 3.2 was released in April 2016.




Requirements

The PCI Data Security Standard specifies twelve requirements for compliance, organized into six logically related groups called "control objectives." The six groups are:

  1. Build and Maintain a Secure Network and Systems
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

Each version of PCI DSS has divided these six groups into a different number of sub-requirements, but the twelve high-level requirements have not changed since the inception of the standard.



Updates and additional information

The PCI SSC has released several supplemental pieces of information to clarify various requirements. These documents include the following:

  • Information Supplement: Requirement 11.3 Penetration Testing
  • Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
  • Navigating the PCI DSS - Understanding the Intent of the Requirements
  • Information Supplement: PCI DSS Wireless Guidelines



Compliance validation

Qualified Security Assessors (QSA)

Qualified Security Assessors are individuals who have been certified by the PCI Security Standards Council. A certified person may audit merchants for compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Internal Security Assessor (ISA)

An Internal Security Assessor is an individual who has earned a certificate from the PCI Security Standards Council for their sponsoring organization. This certified person is able to conduct PCI self-assessments for their organization. The ISA program was designed to help Level 2 merchants meet the new Mastercard compliance validation requirements.

Report on Compliance (ROC)

The Report on Compliance is a form that must be completed by all Level 1 Visa merchants undergoing a PCI DSS audit. The ROC form is used to verify that the merchant being audited is compliant with the PCI DSS standard.

Self-Assessment Questionnaire (SAQ)

The PCI DSS self-assessment questionnaires (SAQs) are validation tools intended to help merchants and service providers report the results of their PCI DSS self-assessment.

The Self-Assessment Questionnaire is a set of questionnaire documents that merchants must complete every year and submit to their acquiring bank.



Compliance versus validation

Although the PCI DSS must be implemented by all entities that process, store or transmit cardholder data, formal validation of PCI DSS compliance is not mandatory for all entities. Currently both Visa and MasterCard require merchants and service providers to be validated according to the PCI DSS. Visa also offers an alternative program called the Technology Innovation Program (TIP) that allows qualified merchants to discontinue the annual PCI DSS validation assessment. These merchants are eligible if they take alternative precautions against fraud, such as the use of EMV or Point to Point Encryption.

Issuing banks are not required to go through PCI DSS validation, although they still have to secure sensitive data in a PCI DSS compliant manner. Acquiring banks are required to comply with PCI DSS and to have their compliance validated by audit.

In the event of a security breach, any compromised entity that was not PCI DSS compliant at the time of the breach will be subject to additional penalties, such as fines.



Mandatory compliance

Compliance with PCI DSS is not required by federal law in the United States. However, laws in some U.S. states refer directly to PCI DSS, or make equivalent provisions.

In 2007, Minnesota enacted a law prohibiting the retention of payment card data.

In 2009, Nevada incorporated the standard into state law, requiring merchants doing business in that state to comply with the current PCI DSS, and shielding compliant entities from liability.

In 2010, Washington also incorporated the standard into state law. Unlike Nevada's law, entities are not required to comply with PCI DSS, but compliant entities are shielded from liability in the event of a data breach.


Compliance and wireless LAN

In July 2009, the Payment Card Industry Security Standards Council published wireless guidelines for PCI DSS recommending the use of wireless intrusion prevention systems (WIPS) to automate wireless scanning for large organizations. The wireless guidelines clearly define how wireless security applies to PCI DSS 1.2 compliance.

These guidelines apply to wireless LAN (WLAN) deployments in the cardholder data environment, also known as the CDE. A CDE is defined as a network environment that stores, processes or transmits credit card data.

Classification of Wireless LAN and CDE

The PCI DSS wireless guidelines classify CDEs into three scenarios depending on how the wireless LAN is deployed.

  • No known WLAN AP inside or outside the CDE: The organization has not deployed any WLAN AP. In this scenario, the three minimum scanning requirements (Sections 11.1, 11.4 and 12.9) of the PCI DSS apply.
  • Known WLAN AP outside the CDE: The organization has deployed WLAN APs outside the CDE. These WLAN APs are segmented from the CDE by a firewall. There are no known WLAN APs inside the CDE. In this scenario, the three minimum scanning requirements (Sections 11.1, 11.4 and 12.9) of the PCI DSS apply.
  • Known WLAN AP inside the CDE: The organization has deployed WLAN APs inside the CDE. In this scenario, the three minimum scanning requirements (Sections 11.1, 11.4 and 12.9) as well as the six secure deployment requirements (Sections 2.1.1, 4.1.1, 9.1.3, 10.5.4, 10.6, and 12.3) of the PCI DSS apply.

Key parts of PCI DSS 1.2 that are relevant for wireless security are classified and defined below.

Secure deployment requirements for wireless LAN

The secure deployment requirements apply only to organizations that have a known WLAN AP inside the CDE. The purpose of these requirements is to deploy WLAN APs with proper safeguards.

  • Section 2.1.1 Change Defaults: Change the default passwords and SSIDs on wireless devices. Enable WPA or WPA2 security.
  • Section 4.1.1 802.11i Security: Deploy APs in WPA or WPA2 mode with 802.1X authentication and AES encryption. Use of WEP in the CDE is not allowed after 30 June 2010.
  • Section 9.1.3 Physical Security: Restrict physical access to known wireless devices.
  • Section 10.5.4 Wireless Logs: Archive wireless access logs centrally, using a WIPS, for 1 year.
  • Section 10.6 Log Review: Review wireless access logs daily.
  • Section 12.3 Usage Policies: Develop usage policies to inventory all wireless devices regularly. Develop usage guidelines for wireless devices.

Minimum scanning requirements for wireless LAN

The minimum scanning requirements apply to all organizations regardless of the type of wireless LAN deployment in the CDE. The purpose of these requirements is to eliminate any rogue or unauthorized WLAN activity within the CDE.

  • Section 11.1 Quarterly Wireless Scan: Scan all sites that contain a CDE, whether or not they have known WLAN APs in the CDE. Sampling of sites is not allowed. A WIPS is recommended for large organizations because it is not feasible to scan manually or to perform a walk-around wireless security audit of all sites every quarter.
  • Section 11.4 Monitor Alerts: Enable automatic WIPS alerts to notify personnel immediately of rogue devices and unauthorized wireless connections into the CDE.
  • Section 12.9 Eliminate Threats: Prepare an incident response plan to monitor and respond to alerts from the WIPS. Enable automatic containment mechanisms in the WIPS to block rogue and unauthorized wireless connections.
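As an added illustration (not from the PCI SSC guidelines or any WIPS product) of how the 12.3 device inventory, the 4.1.1 encryption rule and the 11.1/11.4 scan-and-alert requirements above fit together, the check below runs over a constructed WIPS scan export; the CSV layout, site names, BSSIDs and the AUTHORIZED inventory are all assumptions for this example.

```python
# Constructed authorized wireless device inventory (requirement 12.3),
# keyed by BSSID; in_cde marks APs deployed inside the CDE.
AUTHORIZED = {
    "00:11:22:33:44:01": {"ssid": "corp-pos", "in_cde": True},
    "00:11:22:33:44:02": {"ssid": "guest", "in_cde": False},
}
# Constructed list of sites that contain a CDE (11.1: all must be scanned).
CDE_SITES = {"store-12", "store-13"}

# Constructed WIPS scan export in a hypothetical CSV layout:
# site,bssid,ssid,security
SCAN_EXPORT = """\
store-12,00:11:22:33:44:01,corp-pos,WPA2-EAP-AES
store-12,00:11:22:33:44:02,guest,WPA2-PSK-AES
store-12,aa:bb:cc:dd:ee:01,corp-pos,WPA2-PSK-TKIP
store-12,aa:bb:cc:dd:ee:02,FREE_WIFI,OPEN
store-12,00:11:22:33:44:01,corp-pos,WEP
"""


def parse_scan(text):
    """Parse the export into dicts, normalising BSSID and security labels."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            site, bssid, ssid, security = line.split(",")
            rows.append({"site": site, "bssid": bssid.upper(),
                         "ssid": ssid, "security": security.upper()})
    return rows


def evaluate(rows, inventory):
    """Return (site, bssid, ssid, requirement, reason) tuples for each
    rogue AP (11.1/11.4) or weakly secured CDE AP (4.1.1)."""
    cde_ssids = {v["ssid"] for v in inventory.values() if v["in_cde"]}
    findings = []
    for r in rows:
        entry = inventory.get(r["bssid"])
        if entry is None:
            # Anything absent from the 12.3 inventory is rogue; an unknown AP
            # advertising a CDE SSID is the case that needs an immediate alert.
            reason = "unauthorized AP"
            if r["ssid"] in cde_ssids:
                reason = "unauthorized AP advertising CDE SSID"
            findings.append((r["site"], r["bssid"], r["ssid"], "11.1/11.4", reason))
        elif entry["in_cde"]:
            # 4.1.1: CDE APs need WPA/WPA2 with 802.1X (EAP) and AES; WEP is banned.
            sec = r["security"]
            if sec in ("WEP", "OPEN"):
                reason = f"{sec} in CDE"
            elif "EAP" not in sec or "AES" not in sec:
                reason = "CDE AP without 802.1X and AES"
            else:
                continue
            findings.append((r["site"], r["bssid"], r["ssid"], "4.1.1", reason))
    return findings


def unscanned_sites(rows, cde_sites):
    """11.1 forbids site sampling: report CDE sites with no scan records."""
    return sorted(cde_sites - {r["site"] for r in rows})
```

Feeding the sample export through `evaluate` yields two 11.1/11.4 findings and one 4.1.1 finding, and `unscanned_sites` reports store-13 as never scanned.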



Call center compliance

While the PCI DSS standard is very explicit about the requirements for the back-end storage of and access to cardholder data (CHD), the Payment Card Industry Security Standards Council has said very little about the collection of that information on the front end, whether through websites, interactive voice response systems or call center agents. This is surprising, given the high potential for credit card and data compromise at call centers.

In a call center, customers read their credit card information, CVV code and expiry date to a call center agent. There are few controls that prevent the agent from skimming (credit card fraud) this information with a recording device, a computer or a physical notepad. In addition, almost all call centers use some form of call recording software, which captures and stores all of this sensitive consumer data. These recordings are accessible by a number of call center personnel, are often unencrypted, and are generally not covered by the PCI DSS standards described here. Home-based telephone agents pose an additional level of challenge, requiring companies to secure the channel from the home-based agent through the call center hub to the merchant's applications.

To address some of these concerns, on March 18, 2011 the Payment Card Industry Security Standards Council issued revised FAQs on call center recordings. The bottom line is that companies can no longer store digital recordings that include sensitive card data if those recordings can be queried.

Technology solutions can also prevent skimming (credit card fraud) by agents entirely. At the point in the transaction where the agent needs to collect the credit card information, the call can be transferred to an interactive voice response system. This protects the sensitive information but can create an awkward customer interaction. Agent-assisted automation solutions allow the agent to collect the credit card information without ever seeing or hearing it. The agent stays on the phone and the customer enters their credit card information directly into the customer relationship management software using their phone keypad. Agent-assisted automation can stumble, however, if the caller reads the digits aloud as they enter them. The DTMF tones are either fully suppressed or converted to monotones so that the agent cannot recognize them and so that they cannot be recorded. Some secure payment platforms allow the DTMF tones to be masked, but the tones are still recorded as DTMF by the on-premises or hosted call recorder. Traditionally the only way to suppress DTMF tones is to intercept the call at the trunk using sophisticated servers and telephony cards. In this way it is possible to suppress or mask the DTMF tones from both the call recorder and the agent.

As recently as June 2014, cloud-based telephone payment solutions were entering the market, but there are still challenges with such deployments because calls need to be redirected to the cloud platform before being passed onward to the call center. This is done so that the cloud server can intercept the call to control the DTMF tones for secure masking or suppression from both the agent and the cloud call recorder. Delivered over a cloud network, there is no hardware or software that needs to be installed within the organization itself, although cloud solutions remain logistically challenging to integrate for both service providers and merchants.

The benefits of enhancing security around the collection of personally identifiable information go beyond credit cards to include helping merchants win because of



Controversy and criticism

According to Stephen and Theodora "Cissy" McComb, owners of Cisero's Ristorante and Nightclub in Park City, Utah (who were fined for a breach that two forensics firms could not find any evidence of), "the PCI system is less a system for securing customer card data than a system for reaping profits for the card companies through fines and penalties. Visa and MasterCard impose fines on merchants even when there is no fraud loss at all, simply because the fines 'benefit them.'"

In addition, Michael Jones, CIO of Michaels' Stores, testifying before a US Congressional subcommittee regarding PCI DSS, said: "(... the PCI DSS requirements ...) are very expensive to implement, confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement. It is often stated that there are only twelve 'Requirements' for PCI compliance. In fact there are more than 220 sub-requirements, some of which can place an incredible burden on a retailer and many of which are subject to interpretation."

In contrast, others claim that PCI DSS is a step to make all businesses pay more attention to IT security, even if minimum standards are not enough to completely eradicate security issues.

"Regulation - SOX, HIPAA, GLBA, the credit card industry's PCI, the various disclosure laws, the European Data Protection Act, whatever - has been the best stick the industry has found to beat companies over the head with. Regulation forces companies to pay more attention to security, and sells more products and services." - Bruce Schneier

Furthermore, according to PCI Council General Manager Bob Russo's response to the National Retail Federation, PCI is a "blend of ... high specificity and concepts" that gives "stakeholders the opportunity and flexibility to work with Qualified Security Assessors (QSAs) to determine appropriate security controls within their environment that meet the intent of the PCI standards."

Compliance and compromise

According to Chief Enterprise Risk Officer Ellen Richey, "... no compromised entity has been found to be in compliance with PCI DSS at the time of the breach." In 2008, a breach of Heartland Payment Systems, an organization validated as compliant with PCI DSS, resulted in the compromise of a hundred million card numbers. Around the same time Hannaford Brothers and TJX Companies, also validated as PCI DSS compliant, were similarly breached as a result of the coordinated efforts of Albert "Segvec" Gonzalez and two unnamed Russian hackers.

Assessments examine the compliance of merchants and service providers with the PCI DSS at a specific point in time, and frequently use a sampling methodology to allow compliance to be demonstrated through representative systems and processes. It is the responsibility of the merchant and service provider to achieve, demonstrate, and maintain their compliance at all times, both throughout the annual validation/assessment cycle and across all of their systems and processes. Although a lapse in merchant and service provider compliance with the written standard could be the cause of a breach, Hannaford Brothers received its PCI DSS compliance validation one day after a two-month compromise of its internal systems that had gone unnoticed. The assessor's failure to identify this suggests that incompetent verification of compliance undermines the security of the standard.

Another criticism lies in the fact that compliance validation is required only of Level 1-3 merchants and may be optional for Level 4 depending on the card brand and the acquirer. Visa's compliance validation details for merchants state that Level 4 merchant compliance validation requirements are set by the acquirer; Visa's Level 4 merchants are "merchants processing fewer than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually". At the same time, over 80% of payment card compromises between 2005 and 2007 affected Level 4 merchants; they handle 32% of transactions.



See also

  • Penetration test
  • Vulnerability management
  • Wireless LAN
  • Wireless security





Further reading

  • Bhargav, Abhay (2014). PCI Compliance: The Definitive Guide. Boca Raton, FL: CRC Press, Taylor and Francis. ISBN 9781439887417. OCLC 878262783.
  • Campbell, Tony (2016). Practical Information Security Management: A Complete Guide to Planning and Implementation. United States: Apress. ISBN 9781484216859. OCLC 965719069.
  • Williams, Branden (2015). PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance. Waltham, MA: Syngress. ISBN 9780128016510. OCLC 897934305.
  • Usman Ahmed, Haseen (2018). PCI DSS 3.2 - Comprehensive Understanding to Effectively Achieve PCI DSS Compliance. Amazon. ISBN 1984381938.



External links

  • Official PCI Security Standards Council Site
  • Internal Security Assessor (ISA) Program
  • PCI SSC Data Security Standard
  • PCI DSS v3 Quick Reference Guide
  • PCI DSS 3.2 Comprehensive Understanding by Haseen Usman Ahmed

Source of the article: Wikipedia
